Strategy: FISMA Lifts All Compliance Boats

Randy George, 02/29/12

The Federal Information Security Management Act (FISMA) is geared specifically toward government agencies, so it’s not a common topic of conversation at most IT water bubblers. However, before you assume that FISMA doesn’t apply to you, keep in mind that if your company does business with any government agency—or may in the future—you will be subject to FISMA’s mandates.

In many respects, the core principles of FISMA are the same as mandates companies deal with more commonly, such as the Sarbanes-Oxley (SOX) Act and the Payment Card Industry (PCI) Act. However, FISMA is different from these and other mandates in many ways. In this report, we will distill the core elements of FISMA into digestible chunks and summarize how FISMA differs from other mandates in the way that it requires IT execs to uniquely categorize and classify information assets, as well as apply specific security measures. We’ll provide some examples of how and where FISMA applies security based on the criticality of the system under protection, as well as recommend broad categories of tools and processes that address multiple aspects of the FISMA mandate.

The good news is that companies that come into compliance with FISMA will find that they are at or near compliance with almost every other security mandate. (S4420312)